Flexible LDAP attributes

Repfilter's operation depends on information on each sender of email; this information comes from the LDAP object each user must have in the directory. The information Repfilter uses is contained in standard attributes (like cn, mail) and in some Repfilter-specific attributes. Additionally the attribute names are configurable, so Repfilter isn't tied to one specific LDAP schema.

Below we list the attributes and what they stand for. The attribute names used here are the default names, unless the configuration specifies other names.

cn
The common form of the full name of the sender. This name and any alternate language names the LDAP server returns (for example cn;lang-el for Greek) are considered valid to appear in the From header. The name of this attribute is controlled by the attr_common_name configuration option.
mail
The default email address of the sender. This email address is considered valid as an envelope address or as an address in the From header. The name of this attribute is controlled by the attr_mail configuration option.
mailAlternateAddress
A multi-value attribute whose values are alternate email addresses that the user is permitted to use both as the envelope address and in the From header. This is a Repfilter-specific attribute. It is introduced so that users can have some flexibility as to what email address they use. An administrator may add addresses himself or permit users to add their own addresses. This attribute is similar to the mailLocalAddress attribute or the mailAlternateAddress attribute from the inetLocalMailRecipient object class (see Internet Draft: LDAP Schema for Intranet Mail Routing). The name of this attribute is controlled by the attr_alt_mail configuration option.
mailAuthorizedAddress
A multi-value attribute whose values are pairs of names and addresses. Each value is just as it might appear in the From header of some message and is parsed as such. For example it might have the form "Real Name <user@domain>". The addresses are then considered valid to be used as the envelope address, but are only valid in the From header if used in conjunction with the specified name. In our previous example Repfilter would consider the name "Real Name" and the address "user@domain" valid if they appeared together in a From header, but not just one or the other. This attribute is Repfilter-specific. The name of this attribute is controlled by the attr_authed_mail configuration option.
mailAuthorizedReplyTo
A multi-value attribute whose values are email addresses that are considered valid to be used in the Reply-to header of an email message. This attribute is Repfilter-specific. The name of this attribute is controlled by the attr_replyto configuration option.

Configurable policy

Not every organization has the same needs, so it's only natural that Repfilter offers configurable levels of strictness. The different actions Repfilter may take depend on which part of the message is found to be invalid:

Envelope address
Repfilter will reject a message with an invalid envelope address (i.e. one that does not appear in the mail, mailAlternateAddress or mailAuthorizedAddress attributes). This policy is not configurable.
From header

The From header in an email message is usually composed of one or more names and addresses. An address will be considered valid if it appears in the mail or mailAlternateAddress attributes. A name will be considered valid if it appears as one of the cn attributes. Additionally, if both the name and address appear together in one of the values of the mailAuthorizedAddress attribute, then they are both considered valid.

If an address is invalid then Repfilter will act according to the policy specified in the from_address_policy configuration option. Possible values are:

  • accept, whereby the address will be permitted to appear in the From header.
  • delete, whereby the address will be deleted from the From header.
  • reject, whereby the whole message will be rejected with a 5.x.x error code.
The default action is to reject an invalid address.

If a name is invalid then Repfilter will act according to the policy specified in the common_name_policy configuration option. Possible values are:

  • accept, whereby the name will be permitted to appear alongside a valid address in the From header.
  • correct, whereby the name will be removed and the sender's default name will be substituted. The default name is usually the contents of the cn LDAP attribute.
  • delete, whereby the invalid name and the address it accompanies will be deleted from the From header.
  • reject, whereby the whole message will be rejected with a 5.x.x error code.
The default action is to correct an invalid name.
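
The From header rules above, written out as an added Python example (not Repfilter's own code). The LDAP entry is constructed sample data, and the case-insensitive matching, the address-before-name ordering and the treatment of an empty display name as valid are assumptions of this sketch.

```python
from email.utils import formataddr, getaddresses, parseaddr

# Constructed LDAP entry for one sender, using the default attribute names.
ENTRY = {
    "cn": ["Maria Papadaki"],
    "mail": ["maria@example.org"],
    "mailAlternateAddress": ["m.papadaki@example.org"],
    "mailAuthorizedAddress": ["Helpdesk <helpdesk@example.org>"],
}


class Reject(Exception):
    """The whole message is refused (the 5.x.x case)."""


def filter_from(header, entry, from_address_policy="reject",
                common_name_policy="correct"):
    """Return the From header value after applying both policies."""
    names = {n.lower() for n in entry.get("cn", [])}
    addrs = {a.lower() for a in entry.get("mail", [])
             + entry.get("mailAlternateAddress", [])}
    # Each mailAuthorizedAddress value is parsed like a From header entry.
    pairs = {(n.lower(), a.lower()) for n, a in
             map(parseaddr, entry.get("mailAuthorizedAddress", []))}
    kept = []
    for name, addr in getaddresses([header]):
        if (name.lower(), addr.lower()) in pairs:
            kept.append((name, addr))  # name and address valid only together
            continue
        if addr.lower() not in addrs:
            if from_address_policy == "reject":
                raise Reject("invalid From address: " + addr)
            if from_address_policy == "delete":
                continue
            # "accept": the address stays; the name is still checked below
        if name and name.lower() not in names:
            if common_name_policy == "reject":
                raise Reject("invalid From name: " + name)
            if common_name_policy == "delete":
                continue  # drop the name and the address it accompanies
            if common_name_policy == "correct":
                name = entry["cn"][0]  # substitute the sender's default name
        kept.append((name, addr))
    return ", ".join(formataddr(pair) for pair in kept)
```

Note that an address listed only in mailAuthorizedAddress is rejected under the default policy when it is paired with any other name, including the sender's own cn.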

Reply-to header
The Reply-to header contains one address which will be considered valid if it appears in the mailAuthorizedReplyTo LDAP attribute. If a Reply-to header contains an invalid address then the replyto_policy configuration option dictates one of the below:
  • accept, whereby the header will be accepted.
  • delete, whereby the whole header will be removed from the message.
  • reject, whereby the whole message will be rejected with a 5.x.x error code.
The default action is to accept an invalid reply-to header.
Sender header
Repfilter, by default, will add a Sender header or replace an existing one, so that the message always contains a Sender header with the default email address of the sender. This is configurable via the addsender configuration option.

Helpful to users